Consumers are scared stiff of sending their credit-card numbers across the net to vendors like Time Warner. But elite hackers and security specialists do it without worry. Why? Because the public is mesmerised by media reports of Web attacks, focusing on a threat unlikely to affect them and ignoring the real danger.
For example, when someone stole thousands of credit-card numbers from ESPN and NBA Web customers this quarter, it confirmed many people's fears that the Internet is a dangerous place to do business. But those numbers were stolen off a server, not intercepted as buyers typed them in.
"The whole perception now is how 'unsafe' it is to purchase things on the Internet," says Vicki Zilaitis, director of technology at Time Warner's New Media division in New York. "As a community, that hurts all of us."
Is there really that much to fear in cyberspace? An overwhelming number of computer security specialists and hackers - including the renowned Dark Tangent - say they buy on the Web.
"I do it all the time, and it doesn't worry me," says William Orvis. Orvis says he hears a lot of Internet security horror stories as a member of the Computer Incident Advisory Team at the University of California Lawrence Livermore National Laboratory in Livermore, California. "I don't think it's any worse than [giving a credit-card number] on the telephone."
Security experts said the volume of traffic on the Internet makes it unlikely that an individual credit-card number will be swiped. Fishing for credit-card numbers on the Internet also is likely to be unprofitable for the hacker, experts said, because it would be tough to pinpoint which packets contain credit-card data.
Even if hackers could accurately target such packets, most financial transactions are now conducted via Secure Sockets Layer encryption. It wouldn't be worthwhile for a hacker to spend hours on the computer trying to decrypt the data just to pick up a single credit-card number, security experts say.
"People misunderstand where the threat lies," says Winn Schwartau, president of The Security Experts Inc. in Largo, Florida.
A more lucrative and easier target - and therefore a larger worry - is how data is secured from attack or mishap once it reaches its destination.
For example, a Daly City, California, man recently was accused of stealing 100,000 credit-card numbers by breaking in to the servers of an Internet service provider and several companies that conduct business online.
But simple mistakes also may be hazardous. A major credit-reporting agency, Experian Inc., last month shut down its Web site after several of its reports on individuals were inadvertently sent to the wrong customers. Experian officials blamed the snafu on a software glitch that showed up only with an unexpectedly high volume of users; the system hadn't been tested for peak loads.
Public opinion polls, such as one conducted by Nielsen Media Research and CommerceNet, indicate that security fears are the single biggest obstacle for Internet users who make purchases on the Web.
"The media's done a real good job of creating paranoia," Schwartau says.
A lack of hard data about how common Internet theft is has left the business community with little way to measure the risk of electronic commerce against its potential reward.
"The market is too new to know what the reality is," says Steve Herz, senior vice president for Internet commerce at Visa International in San Mateo, California. "Reality is based on experience. The Internet has not been in place there long enough for there to be experience. The Internet is all anecdotal."
But anecdotes rev up consumers more than other, more measurable forms of electronic theft.
Cellular phone fraud, for example, costs US$600 million per year - about 4% of the industry's gross revenue, according to the Cellular Telecommunications Industry Association in Washington.
But few people fear using a cellular phone because of it. Companies haven't shied away from offering cellular phone service, and few big cases of cellular phone fraud hit the nightly news.
Individual cybermerchants soon may not have to worry about safeguarding such hot data.
The Secure Electronic Transaction (SET) technology being developed by Visa, MasterCard International Inc. and other major credit-card companies, as well as hardware and software vendors, was designed to make it easier for buyers and sellers to securely exchange credit-card information over the Internet.
Buyers register with a bank and use digital certificates, not credit cards, to make purchases. So credit-card numbers never make it to the Internet.
Many information systems executives said SET is a big step toward secure Web purchasing. But some said a technological answer to Internet security may not be enough to lure consumers online.
"The perception [of a security threat] is there," Herz said. "And if we want Internet commerce to grow up, we're going to need to address that perception."